On Nov 2, 2022, at 17:49, Michael Richardson <[email protected]> wrote:
>
> 002 "dooku--ipv6" #14: Bid-down to IKEv1 attack detected, attempting to rekey
> connection with IKEv2
>
> I've NEVER seen a real one of these in the field. I'm on a Eurostar train's
> wifi.
> Could it be some helpful NAT44?

Likely bad matching on magic bytes that include the exchange type to block VPNs? That code is relying on vendor IDs in IKEv1, but those payloads are not signed in IKEv1. If there was a real attack they would also strip the CANv2 custom vendorid. That is one of the reasons why libreswan removed this detection code.

Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
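
Added example, not part of the original message and not libreswan's code: a sketch of vendor-ID-based bid-down detection on a cleartext IKEv1 reply, showing that a missing vendor ID is indistinguishable from a removed one because nothing authenticates the payload. The vendor ID bytes, the function names and the sample messages are assumptions constructed for illustration.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 section 3.1, 28 bytes
NP_NONE, NP_VID = 0, 13                    # IKEv1 payload type numbers
# Assumption: placeholder bytes for the vendor ID the post calls "CANv2".
CAN_IKEV2_VID = b"CAN-IKEv2"

def parse_ike(msg):
    """Return (major_version, exchange_type, [vendor_ids]) of a cleartext message."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    _, _, np, ver, xchg, flags, _, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("length field does not match datagram size")
    if flags & 0x01:
        raise ValueError("encrypted message, payload chain not readable")
    vids, off = [], ISAKMP_HDR.size
    while np != NP_NONE:                   # walk the generic payload chain
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        if np == NP_VID:
            vids.append(msg[off + 4:off + plen])
        np, off = nxt, off + plen
    return ver >> 4, xchg, vids

def classify(reply):
    """Verdict for a reply received after we proposed IKEv2 and got IKEv1 back."""
    major, _, vids = parse_ike(reply)
    if major != 1:
        return "not-ikev1"
    if CAN_IKEV2_VID in vids:
        return "bid-down-suspected"        # peer says it can do IKEv2, yet we are in IKEv1
    # VID absent: the peer is IKEv1-only OR the unsigned payload was removed in transit.
    return "inconclusive"

def build(vids, major=1):
    """Constructed sample: ISAKMP header plus a chain of Vendor ID payloads only."""
    body = b""
    for i, v in enumerate(vids):
        nxt = NP_VID if i + 1 < len(vids) else NP_NONE
        body += struct.pack("!BBH", nxt, 0, 4 + len(v)) + v
    first = NP_VID if vids else NP_NONE
    total = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(b"I" * 8, b"R" * 8, first, major << 4, 2, 0, 0, total) + body

if __name__ == "__main__":
    print(classify(build([b"sample-vid", CAN_IKEV2_VID])))  # bid-down-suspected
    print(classify(build([b"sample-vid"])))                 # inconclusive
```
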
